华为VPN技术

1. 启动设备

2. 配置IP地址

FW1\]int g1/0/0 \[FW1-GigabitEthernet1/0/0\]ip add 192.168.1.254 24 \[FW1-GigabitEthernet1/0/0\]int g1/0/1 \[FW1-GigabitEthernet1/0/1\]ip add 100.1.1.1 24 \[FW1-GigabitEthernet1/0/1\]service-manage ping permit \[FW2\]int g1/0/0 \[FW2-GigabitEthernet1/0/0\]ip add 192.168.2.254 24 \[FW2-GigabitEthernet1/0/0\]int g1/0/1 \[FW2-GigabitEthernet1/0/1\]ip add 200.1.1.2 24 \[FW2-GigabitEthernet1/0/1\]service-manage ping permit \[AR1\]int g0/0/0 \[AR1-GigabitEthernet0/0/0\]ip add 100.1.1.2 24 \[AR1-GigabitEthernet0/0/0\]int g0/0/1 \[AR1-GigabitEthernet0/0/1\]ip add 200.1.1.1 24 **3.** **配置Tunnel接口** \[FW1\]int Tunnel 0 \[FW1-Tunnel0\]ip add 172.16.1.1 24 \[FW1-Tunnel0\]tunnel-protocol gre \[FW1-Tunnel0\]source 100.1.1.1 \[FW1-Tunnel0\]destination 200.1.1.2 \[FW2\]int Tunnel 0 \[FW2-Tunnel0\]ip add 172.16.1.2 24 \[FW2-Tunnel0\]tunnel-protocol gre \[FW2-Tunnel0\]source 200.1.1.2 \[FW2-Tunnel0\]destination 100.1.1.1 **4.** **将防火墙接口加入指定区域** \[FW1\]firewall zone trust \[FW1-zone-trust\]add int g1/0/0 \[FW1-zone-trust\]q \[FW1\]firewall zone untrust \[FW1-zone-untrust\]add int g1/0/1 \[FW1-zone-untrust\]add int Tunnel 0 \[FW2\]firewall zone trust \[FW2-zone-trust\]add int g1/0/0 \[FW2-zone-trust\]q \[FW2\]firewall zone untrust \[FW2-zone-untrust\]add int g1/0/1 \[FW2-zone-untrust\]add int Tunnel 0 **5.** **配置OSPF** \[FW1\]ospf 1 \[FW1-ospf-1\]area 0 \[FW1-ospf-1-area-0.0.0.0\]network 100.1.1.0 0.0.0.255 \[AR1\]ospf 1 \[AR1-ospf-1\]area 0 \[AR1-ospf-1-area-0.0.0.0\]network 100.1.1.0 0.0.0.255 \[AR1-ospf-1-area-0.0.0.0\]network 200.1.1.0 0.0.0.255 \[FW2\]ospf 1 \[FW2-ospf-1\]area 0 \[FW2-ospf-1-area-0.0.0.0\]network 200.1.1.0 0.0.0.255 **6.** **配置路由条目** \[FW1\]ip route-static 192.168.2.0 24 Tunnel 0 \[FW2\]ip route-static 192.168.1.0 24 Tunnel 0 **7.** **配置防火墙策略** \[FW1\]security-policy \[FW1-policy-security\]rule name local-untrust \[FW1-policy-security-rule-local-untrust\]source-zone local \[FW1-policy-security-rule-local-untrust\]destination-zone untrust \[FW1-policy-security-rule-local-untrust\]source-address 100.1.1.0 0.0.0.255 \[FW1-policy-security-rule-local-untrust\]destination-address 200.1.1.0 0.0.0.255 \[FW1-policy-security-rule-local-untrust\]action permit \[FW1-policy-security-rule-local-untrust\]q \[FW1-policy-security\]rule name untrust-local \[FW1-policy-security-rule-untrust-local\]source-zone untrust \[FW1-policy-security-rule-untrust-local\]destination-zone local \[FW1-policy-security-rule-untrust-local\]source-address 200.1.1.0 0.0.0.255 \[FW1-policy-security-rule-untrust-local\]destination-address 100.1.1.0 0.0.0.255 \[FW1-policy-security-rule-untrust-local\]action permit \[FW1-policy-security-rule-untrust-local\]q \[FW1-policy-security\]rule name trust-untrust \[FW1-policy-security-rule-trust-untrust\]source-zone trust \[FW1-policy-security-rule-trust-untrust\]destination-zone untrust \[FW1-policy-security-rule-trust-untrust\]source-address 192.168.1.0 0.0.0.255 \[FW1-policy-security-rule-trust-untrust\]action permit \[FW1-policy-security-rule-trust-untrust\]q \[FW1-policy-security\]rule name untrust-trust \[FW1-policy-security-rule-untrust-trust\]source-zone untrust \[FW1-policy-security-rule-untrust-trust\]destination-zone trust \[FW1-policy-security-rule-untrust-trust\]action permit \[FW2\]security-policy \[FW2-policy-security\]rule name untrust-local \[FW2-policy-security-rule-untrust-local\]source-zone untrust \[FW2-policy-security-rule-untrust-local\]destination-zone local \[FW2-policy-security-rule-untrust-local\]action permit \[FW2-policy-security-rule-untrust-local\]q \[FW2-policy-security\]rule name local-untrust \[FW2-policy-security-rule-local-untrust\]source-zone local \[FW2-policy-security-rule-local-untrust\]destination-zone untrust \[FW2-policy-security-rule-local-untrust\]action permit \[FW2-policy-security-rule-local-untrust\]q \[FW2-policy-security\]rule name trust-untrust \[FW2-policy-security-rule-trust-untrust\]source-zone trust \[FW2-policy-security-rule-trust-untrust\]destination-zone untrust \[FW2-policy-security-rule-trust-untrust\]source-address 192.168.2.0 0.0.0.255 \[FW2-policy-security-rule-trust-untrust\]action permit \[FW2-policy-security-rule-trust-untrust\]q \[FW2-policy-security\]rule name untrust-trust \[FW2-policy-security-rule-untrust-trust\]source-zone untrust \[FW2-policy-security-rule-untrust-trust\]destination-zone trust \[FW2-policy-security-rule-untrust-trust\]source-address 192.168.1.0 0.0.0.255 \[FW2-policy-security-rule-untrust-trust\]action permit **8.** **配置NAT策略** \[FW1\]nat-policy \[FW1-policy-nat\]rule name trust-untrust \[FW1-policy-nat-rule-trust-untrust\]source-zone trust \[FW1-policy-nat-rule-trust-untrust\]destination-zone untrust \[FW1-policy-nat-rule-trust-untrust\]source-address 192.168.1.0 0.0.0.255 \[FW1-policy-nat-rule-trust-untrust\]action source-nat easy-ip \[FW2\]nat-policy \[FW2-policy-nat\]rule name trust-untrust \[FW2-policy-nat-rule-trust-untrust\]source-zone trust \[FW2-policy-nat-rule-trust-untrust\]destination-zone untrust \[FW2-policy-nat-rule-trust-untrust\]source-address 192.168.2.0 0.0.0.255 \[FW2-policy-nat-rule-trust-untrust\]action source-nat easy-ip **验证:** **1.pc2ping** **通pc1** ![](https://i-blog.csdnimg.cn/direct/a732c73bc621449690661d69fffe9810.png) **2.** **查看FW2防火墙会话表(看GRE协议的数据包走向)** ![](https://i-blog.csdnimg.cn/direct/cfd17827e61a47968bcf9fdb0043c93a.png) **3.** **查看NAT地址转换(pc2ping100.1.1.1时,查看防火墙会话表,可以看到私网地址转换成200.1.1.2后访问100.1.1.1)** ![](https://i-blog.csdnimg.cn/direct/98bd075ad39c4a01834d152e183ac23a.png) **4.** **抓FW2G1/0/1端口的包查看(GRE的端口是47)** ![](https://i-blog.csdnimg.cn/direct/324da126ab134f369df65e5ecfb4c322.png)

相关推荐
せいしゅん青春之我14 分钟前
【JavaEE初阶】网络原理——TCP报文结构、确认应答机制
网络·笔记·网络协议·tcp/ip·java-ee
梁萌1 小时前
Linux安装mysql8.4.6
linux·运维·mysql安装·8.4.6
FreeBuf_1 小时前
Ubuntu内核曝严重UAF漏洞,可致攻击者获取Root权限
linux·运维·ubuntu
☆璇2 小时前
【Linux】数据链路层
linux·服务器·网络
ifeng09183 小时前
HarmonyOS分布式任务调度——跨设备智能任务分配与迁移
分布式·华为·harmonyos
初学者_xuan3 小时前
零基础新手小白快速了解掌握服务集群与自动化运维(十六)集群部署模块——Keepalived双机热备
运维·自动化·github
行思理3 小时前
Dockerfile 各指令说明
运维·macos·docker·容器·php
电鱼智能的电小鱼3 小时前
基于电鱼 ARM 工控机的AI视频智能分析方案:让传统监控变得更聪明
网络·arm开发·人工智能·嵌入式硬件·算法·音视频
2501_915909064 小时前
网络调试工具推荐 Fiddler抓包工具使用教程与代理设置详解(HTTP/HTTPS配置与实战技巧)
网络·http·ios·小程序·fiddler·uni-app·webview
半梦半醒*4 小时前
k8s——资源管理
linux·运维·docker·容器·kubernetes·自动化